Search Language - Intermediate
Karen Hodges, Sr. Instructor

Your presenter . . .
Karen Hodges – Senior Instructor – Splunk
Over 20 years of experience in software training and education in: UNIX System Administration; Intergraph GIS Systems; Relational Database Management Systems; BMC Remedy; Mortgage Fraud Detection; Real Property Title Search; Splunk

Topics
Knowledge Objects: Tags; Event types; Saved searches and alerts
Advanced searching techniques: Comparison operators; The search pipeline
Knowledge Objects
Splunk as “Search Engine”
Type in keywords, hit return, get results . . .

So Much More than a “Search Engine”
Splunk allows you to “store” knowledge alongside your IT data:
Institutional knowledge, for example server function or device location
Learned knowledge, for example identifying crash precursors or suspicious activity patterns
You store these in Splunk using Knowledge Objects.

Scenario – Confusing Server Names
Server names aren’t always very helpful! Sometimes they pack too much information into the name; sometimes people make them reflect their hobbies/obsessions.

Knowledge Objects – Tags to the Rescue
Tags are metadata you can add to field values.

Using Tags
Search all hosts tagged as “webfarm”.
Scenario – So Many Different Needles and Hays
IT data is full of strange and confusing messages. Some are alarming! Some are low key, but should be alarming.

Knowledge Objects – Event Types
Event types are fields based on a search, similar to a saved search.

Event Type Example - Different Events
For example: 2 events in linux_secure. Save event types to differentiate these 2 events: pwd_fail_known and pwd_fail_unknown.

Event Type Example – Same Event
For example: 2 different types of firewalls. CheckPoint firewall: “action=reject”. Netscreen firewall: “action=deny”.

Using Event Types
Use the eventtype as you would any other field.
Scenario – 24/7 Monitoring
Servers and devices run 24/7. Hackers, bugs and crashes (oh my!) are lurking 24/7. Humans aren’t 24/7: they need things like sleep, vacations, lunch, or just a few minutes away from staring at a screen in a freezing cold server room!

Splunk Alerts Never Sleep!
Searches can be run on a schedule and be set up to “do something” based on the results. We call these Alerts.

Alerting Scenario – Public User Logins
Hackers need a user name AND a password to log in to your systems. Public web pages often contain names of CEOs, sales folks, etc. splunk.com is no exception.

Leverage Tagging and Event Types
Since only certain users appear on the web page, we can give those users the tag=publicID. We can use the “pwd_fail_known” Event Type we created earlier.
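The event types and the publicID tag from the slides above, written out as the knowledge-object configuration files Splunk stores them in. This is an added example, not from the deck: the sshd message patterns, the checkpoint/netscreen sourcetype names and the user names are assumptions or constructed.

```ini
# $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf
# An event type is a saved search that becomes a field (eventtype) on every matching event.

# Slide "Different Events": two look-alike linux_secure failures that should be told apart.
# OpenSSH sshd logs "Failed password for <user>" for an account that exists and
# "Failed password for invalid user <user>" when it does not (patterns assumed, not from the deck).
[pwd_fail_known]
search = sourcetype=linux_secure "Failed password for" NOT "invalid user"
description = Wrong password for an account that exists (the one worth alerting on)

[pwd_fail_unknown]
search = sourcetype=linux_secure "Failed password for invalid user"
description = Password guess against an account that does not exist

# Slide "Same Event": the same decision logged two ways by two firewall vendors,
# folded into one eventtype so a single search covers both. Sourcetype names assumed.
[firewall_deny]
search = (sourcetype=checkpoint action=reject) OR (sourcetype=netscreen action=deny)
description = Connection blocked by either firewall

# $SPLUNK_HOME/etc/apps/search/local/tags.conf
# A tag is attached to a field=value pair: the stanza is the field=value,
# each line inside is tagname = enabled|disabled. User names are constructed.
[user=ceo_jane]
publicID = enabled

[user=sales_bob]
publicID = enabled

[user=sales_lee]
publicID = enabled

# Both objects are then used like any other field in a search:
#   eventtype=pwd_fail_known tag=publicID
# matches only failed logins against accounts listed on the public web site.
# tag=publicID matches any field carrying the tag; tag::user=publicID pins it to user.
```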
Craft Your Search and Create the Alert
Craft the search that searches for login attempts from public users, then create the alert. Click Next to define alert conditions.

Alert Conditions
You can specify alert conditions which will trigger the alert. In our case we are looking for four or more login attempts, since after that legitimate users are locked out.

Alert Actions
Can send email, create RSS feed, or trigger shell script. We have opted to have the results included in our email so we can evaluate the severity of the attack easily. Tracking allows us to view fired alerts in the Alert manager.

Alert Manager
Use the Alerts menu item in the main Splunk navigation to display the Alerts manager window. Click Results to view the events that triggered the alert. Click Edit to edit the alert settings.
[Screenshot: the Failed Logins alert in the Alert manager]
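The Failed Logins alert from the slides above, as Splunk stores it in savedsearches.conf. Added example, not the deck's own: the schedule, the 15-minute window, the recipient address and the src field name are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# The "Failed Logins" alert: failed logins against publicly listed accounts,
# firing at four or more attempts (the lockout threshold on the slide).
[Failed Logins]
# Count per user, so four attempts spread over four executives do not fire
# while four attempts on one account (the lockout case) do.
# The src field (attacker address) is assumed to be extracted from the sshd message.
search = eventtype=pwd_fail_known tag=publicID \
         | stats count AS attempts, dc(src) AS distinct_sources, values(src) AS sources by user \
         | where attempts >= 4

# Schedule: every 15 minutes over the 15 minutes that just closed (window assumed;
# the deck does not state one). Snapping to the minute makes consecutive runs tile.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# Condition: the search already applies the >= 4 rule per user,
# so fire whenever it returns any row at all.
counttype = number of events
relation = greater than
quantity = 0

# Action: e-mail with the results inline, as chosen on the Alert Actions slide,
# so the reader can judge severity without opening Splunk. Recipient assumed.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ fired
action.email.inline = 1
action.email.sendresults = 1

# Tracking, so the fired alert is listed in the Alert manager (Alerts menu).
alert.track = 1
alert.severity = 4

# Throttle: once an account has fired, stay quiet for it for an hour rather than
# sending another e-mail every 15 minutes while the attempts continue.
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = user
```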
Advanced Searching Techniques
So Much More than a “Search Engine” - Part II
Comparison operators make your searches more exacting. Splunk’s full-featured search language permits you to organize and analyze data in amazing ways!

Towards More Sophisticated Searches
Comparison operators: != > < <= >=

The Search Pipeline
Search is a data generating command. You can organize and analyze data using the search pipeline. For example:

sourcetype=syslog ERROR | top user | fields - percent

Disk
  --> sourcetype=syslog ERROR   (fetch events from disk that match)
  --> Intermediate results table
  --> top user                  (summarize into table of top 10 users)
  --> Intermediate results table
  --> fields - percent          (remove column showing percentage)
  --> Final results table
Organize and Analyze Your Data
After the search command, use the “|” symbol to pipe your search results to a subsequent command. For example, here we are changing the sort order to sort by user name descending, grouping all the logins together.

Data Processing Commands
We’ve already seen sort; there are many MANY more . . .
dedup removes duplicates. Weeding out duplicate entries makes results easier to use AND keeps statistical operations more pure.
regex allows you to filter your results using a regular expression. REGEX gurus can filter using all the ?’s and *’s they want!
transaction allows you to group your events by a certain field and time range. See all the web pages your boss visited in the past hour from your proxy data.

Splunk Makes Using its Search Language Easy
When you type in a command after the | symbol, Splunk’s Search Assistant provides an instant mini “man page”.

View Events in a Table
The table command is useful for visually organizing events. Columns are displayed in the same order as the fields entered in the command. Column headers are field names; rows are field values. Each row represents an event.

Top Scenario – Getting Top Site Visitors
The top command finds the most common values of a given field. It returns the top 10 results by default and automatically returns a count and percentage. Adding limit=# after the top command returns the specified number of results.

Stats Scenario – Counting Product Sales
count returns the number of occurrences of a given field. The by clause returns a count for each field value of a named field.
Transaction Scenario – Monitor Trading Activity
Online trading activity is captured in a log file which includes each trader’s unique identification. Company policy requires that we monitor each trader’s activity in hourly chunks, but the trades are all jumbled up together, making it hard to spot patterns in each trader’s trades.

Use Transaction to Group Your Trades
Use transaction to group each trade by TradeID. Set your time span to an hour and your max pause to one hour, in case some traders only have one or two trades per hour.
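The trading scenario above as a scheduled report in savedsearches.conf, which also exercises the pipeline commands and comparison operators from the earlier slides. Added example, not the deck's own: the sourcetype and every field name other than TradeID (TraderID, symbol) are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# Hourly view of each trader's activity. The deck only names TradeID;
# sourcetype and the other field names are assumed.
[Trader Activity - Hourly]
# dedup _raw drops exact duplicate log lines (e.g. a forwarder that re-sent them)
# before grouping, so they do not inflate the counts.
# transaction stitches the events sharing a TradeID (order, fill, cancel ...) into one
# row carrying duration and eventcount. maxspan caps the whole trade at an hour;
# maxpause caps the gap between its events at an hour, so a trader with one or two
# slow trades per hour still gets them grouped.
# The comparison operator in "where" keeps only trades that progressed beyond the
# initial order (more than one event); stats then summarises per trader.
search = sourcetype=trading_log TradeID=* \
         | dedup _raw \
         | transaction TradeID maxspan=1h maxpause=1h \
         | where eventcount > 1 \
         | stats count AS trades, sum(eventcount) AS events, max(duration) AS longest_seconds, dc(symbol) AS symbols by TraderID \
         | sort -trades \
         | table TraderID trades events longest_seconds symbols

# Run at the top of every hour over the hour that just closed.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
```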
Summary
Event types and tags are excellent ways to capture existing knowledge as well as knowledge learned from using Splunk. Splunk’s search language includes many powerful commands which allow you to organize and analyze your data easily.

Congratulations!
You’ve just seen some of the many ways Splunk can be used to leverage the intelligence in your IT data. Further your Splunk education with official Splunk training:
Using Splunk: gets deeper into basic search, alerts, knowledge objects, quick reports and more…
Searching and Reporting with Splunk: takes you to the next level, leveraging statistical operations and reporting in Splunk.

Questions?
August 15, 2011
Karen Hodges, Sr. Instructor

Splunk .conf2011: Search Language: Intermediate


Editor's Notes

  • #5: How can you leverage Splunk?
  • #24: How can you leverage Splunk?